- “When was the document created?”
- “When was a file last modified?”
These are two of the most common questions asked by lawyers in relation to dates. They are easy to ask, very fair, and reasonable to expect an answer to.
But there are so many problems answering these questions “correctly”.
Firstly the question asked by the lawyer needs to be interpreted by those conducting the investigation. Do they mean the date the document was “first created”, when it was created on the “current computer”, or when it came to be “created” in its current state.
Below are a few examples scenarios that demonstrate the problem.
- User A creates a document on a file server on 1st Feb 2003. The file is then copied to a desktop of User B on 2nd March 2004.
- User A creates a document on a file server on 1st Feb 2003. on 8th September 2008 Use A emails it to User B. User B reads the email, via Outlook, on 9th September 2008. User B then saves the document onto his desktop on 10th September 2008.
- User A creates a blank sales order form, to be used as a template, on 1/1/09. User B fills access this template, fill in the details of the form and “creates” a sales order form on 1/2/09.
- In question 1 which is the created is the “created date” of the document 1/2/03 or 2/3/04?
- In question 2, which is the “created date” of the document? 1/2/03, 8/9/09, 9/9/09, or 10/9/9?
- In question3, what is the created date for sales order form? 1/1/09 or 1/2/09
There does not appear to be a right answer, given the limited question. The answer will depend on the needs of the client for each question. Therefore it is the job of the technical advisor/consultant to ask their client, what they are trying to achieve, what they need the information for, and then, if possible find that information.
If a lawyer asked for the created date of the document in example (3), the correct answer for any service provider, or technical consultant, could well be:
“What are you trying to show from this date?”
If the solicitor/lawyer replied:
“The case hinges on how the sales order templates were created. It’s believed the template changed at a certain date, and we need to know what the date is”
Then the consultant would know to seek out the date the original form was created. It may be that this date is not available, but it is critical that the computer forensics consultant or technical advisor does not provide the right date, for the wrong question.
Given the huge number of dates for any given document, created, modified, access, last written, last saved, first created, emailed, first opened, last opened, last printed, it is critical that any computer forensics, or electronic discovery professional know the dates they are looking for, and what they are providing to the client
This can only be achieved by asking for questions of the client and the looking at the technology.